In Pictures: Welcome to the smart home ... of horror!

Security issues are darkening the future of home automation and the Internet of things

Home automation horror stories!
Breathless is the prose that's usually deployed to describe our Jetsons-like future of automated homes, smart appliances, and the IoT (Internet of things). When all of our gadgets and doohickeys are networked, online, and talking with one another, we'll enter a new golden age of efficiency and comfort ... or so we're told, principally by those selling said gadgets and doohickeys.
But there is a dark side: When your refrigerator, thermostat, or home security camera is plugged into a network, it becomes vulnerable to the same dangers that threaten any networked machine -- hackers, voyeurs, malware, breakdowns, botnets, and disruptions. After all, the universe tends toward entropy -- and bad guys will always be out there -- no matter how space-age our homes become.
In fact, smart home devices are potentially much more vulnerable to attacks and disruptions than traditional computing devices like PCs, laptops, phones, or tablets. The cyber security industry is only recently putting serious resources into the fight, giving hackers the upper hand. Who's going to patch and upgrade all this stuff? And privacy issues get really weird when companies are providing things like, yes, online toilets. We take a look at some real-world home automation horror stories that have made headlines recently.

Is it getting hot in here?
Click around online and you'll find plenty on anecdotal evidence on the dangers of Wi-Fi-enabled thermostats. The thinking behind such setups is that you can optimize heating and cooling in your connected home when you're away. But if someone else were to hack in and grab the virtual thermostat, well, things could get uncomfortable.
Last year, an infamous Amazon product review of Honeywell's smart thermostat system made the viral rounds. It seems a disgruntled ex-husband took revenge on his former wife -- and her new live-in boyfriend -- by remotely messing with the thermostat in his previous home: "When they are away on their weekend getaways, I crank the heat up to 80 degrees and back down to 40 before they arrive home. I can only imagine what their electricity bills might be."
Stories like these -- endlessly forwarded but essentially unverifiable -- represent a sort of emerging category of urban legend. Legitimate or not, they spook potential adopters of connected home technology.

Lock your doors (and thermostats)
Naturally, the industry is concerned about these worries from their pool of future customers. Nest Labs, acquired last year by Google, has a dedicated engineering team focused on security threats to its thermostat system. The company keeps a security policy and FAQ page on its website, and it encourages security researchers to flag vulnerabilities.
A few months ago, security company TrapX did exactly that, publicizing a research study in which engineers were able to access data stored on the Nest thermostat. The thermostat was then used as a jumping-off point to gain control of other connected devices in the home. Significantly, the breach required physical access to the Nest thermostat -- specifically the USB port -- and there is no evidence that such a breach has ever occurred in the wild.
But the threat is still legitimate, TrapX insists, if for instance someone were to buy a used Nest or if the hacker otherwise had physical access to the device -- as in the case of the disgruntled ex-husband.

Hacking baby monitors?
It's a nightmare scenario for parents: In April 2014, Heather Schreck was asleep in her suburban Cincinnati home when she heard a man's voice yelling at her 10-month-old daughter in the next room. When Heather and her husband entered the room, they discovered that someone had hacked into their Internet-connected baby monitor and was yelling obscenities at the baby.
In a particularly chilling detail, the baby monitor even moved, swinging the camera around to face the parents -- creepy! When the incident broke into the national news, the maker of the $200 baby monitor, Foscam, conceded that similar incidents had happened before. It's been known for a while, in security circles, that hackers and online thrill riders can search for public IP addresses and access baby monitor cameras and other kinds of webcams. Foscam recommended keeping the device's firmware updated.

A directory for hackable webcams?
Naturally, the hacking of in-home security cameras is one of the scarier aspects of home automation vulnerability. Last year, reports surfaced about a security vulnerability in TRENDnet streaming IP cameras that allowed would-be voyeurs to peek into homes and offices. The vulnerability, once publicized, triggered a kind of extemporaneous awareness campaign in which directories of vulnerable camera feeds were posted online.
In the wave of reports that followed, hundreds of images were posted that suggested the unnerving scope of the problem. Photos and even live video feeds of living rooms, kitchens, home offices, and backyards appeared on websites and forums, with the idea that exposing the issue would lead to quicker remedies. At one point, someone even created an interactive Google Map that posted the actual locations of each vulnerable IP camera. The map was quickly disabled, but it illustrates how quickly a camera in your smart home could potentially become instantly, globally accessible.

Breaking and entering
In 2013, Forbes writer Kashmir Hill published a fascinating and very scary account concerning a string of virtual home invasions -- with Hill herself as the hacker. Having been alerted to security flaws in an Insteon home automation system, Hill was able to remotely access eight different homes through a simple search engine query. The search revealed smart home access points completely unprotected by even a simple password.
Hill found she was able to turn lights on and off and otherwise manipulate home automation systems that allow remote control of televisions, cameras, water pumps, fans, and even the hot tub. "I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets," Hill writes. "Opening a garage door could make a house ripe for actual physical intrusion." Insteon responded that the product in question had been discontinued, and the security issues subsequently fixed.

Flushing out the problem
As any visitor to Tokyo can tell you, Japan is years ahead of other countries in one very specific area of home appliance technology: the toilet. No kidding, the Japanese take their bathroom experience very seriously. It's estimated that around 70 percent of Japanese homes have so-called enhanced toilets with heated seats, remote control features, and bidet functions. (Only about 30 percent of Japanese households, meanwhile, have a dishwasher.)
The obvious and uncomfortable question thus presents itself: Is it possible for hackers to gain control of your toilet? The answer is yes, according to security company Trustwave, which issued an advisory on the Bluetooth-enabled Satis toilet a couple years back. The Satis toilet comes with an Android app for triggering the bidet and drying options -- or playing a custom music playlist -- while you're, you know, sitting there.
From the Trustwave advisory: "An attacker could simply download the My Satis application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user." Yes, that would be distressing.

Hackers recruiting refrigerators?
The term "botnet" is often used to refer to hacking attacks in which otherwise innocent computers are hijacked to send spam or launch denial-of-service attacks. Traditionally, hackers have targeted PCs, laptops, or tablets for these shanghai operations, but that could very well change with the dawning of the Internet of things.
In January of last year, security service Proofpoint issued a report about what they termed the first proven IoT-based cyber attack involving conventional household smart appliances. The coordinated attack campaign used the computing power of more than 100,000 everyday consumer appliances, including Internet-enabled home theater systems, TVs, home network routers, and at least one smart refrigerator. The attack featured waves of malicious email -- sent in bursts of 100,000 -- targeting businesses and individuals worldwide. In the report, Proofpoint warned that such "thingbot" networks are likely to become more popular with hackers since IoT devices are typically poorly protected and easier to infect than PCs.

How many automated systems does it take to screw in a light bulb?
Home automation horror stories don't always have to involve malicious hackers or peeping toms. Sometimes, the scary stuff can just happen by accident. To wit: The curious case of the space-age smart home that was felled by a single burned-out lightbulb.
A few years back, computer science professor Raul Rojas outfitted his two-story house in suburban Berlin with a seriously ambitious automation system. Rojas specializes in robotics and artificial intelligence, so his smart home featured domestic bots that would patrol the home, vacuum, and even mow the lawn. All of Rojas' household appliances were Internet-connected so that lights, TV, stove, microwave, and the central air system could be controlled remotely.
It all worked great, until one day it didn't, and Rojas' entire house essentially froze up. After some investigation, Rojas discovered that a single burned-out light fixture was sending constant data packets to the network's central hub, requesting a fix. It was a kind of accidental denial-of-service attack and an example of how smart homes can potentially out-think themselves.

Future horror stories
It's pretty much a sure bet that the scariest stories are still to come. The Internet of things is in the nascent stage, and the smart home is only getting started. For most of us, only our computers and phones are Internet-connected -- and look at the security and privacy issues we wrestle with daily. When virtually everything is connected to the Internet -- our cars, our appliances, our clothes -- the outlook is likely to get very scary, very quickly.
In a recent interview with NetworkWorld, security expert Bruce Schneier was not optimistic. "This is very much like the computer field in the '90s," he says. "No one’s paying any attention to security, no one’s doing updates, no one knows anything -- it’s all really, really bad and it’s going to come crashing down.... There will be vulnerabilities, they’ll be exploited by bad guys, and there will be no way to patch them."
On the upside, we will be able to stream music playlists through our smart toilets, so we have that going for us ... which is nice.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.